Java zero-day holes appearing at the rate of one a day

Tongue-in-cheek tracker site drives home the point: As fast as Oracle can fix current bugs, more crop up to take their place

Raise your hand if you're tired of reading about Java zero-day security holes. I know I am. But when holes are being discovered at an average rate of more than one per day -- and with companies such as Apple, Facebook, and Twitter openly admitting they've been compromised by Java-borne malware -- it's helpful to keep a scorecard.

Here's what we've seen so far this year:

  • Oracle released Java 7 Update 11 on Jan. 13 in order to block a critical zero-day exploit in the wild. Oracle was criticized for not getting the patch out earlier, as it had been notified of at least one security hole last year.
  • Within days, the people at Polish security company Security Explorations found two new security holes in the just-released Java 7 Update 11.
  • On Feb. 1, shortly after Apple blocked Java for the second time in a month, Oracle released a slew of patches that addressed 50 separately identified security holes, 44 of which access the Java security faults through a browser. Oracle was going to release the patches on Feb. 19, but one active exploit found in the wild forced its hand, and the company let loose with Java 7 Update 13 early.

(If you're curious about the numbering system, odd-numbered Java updates are security updates; even-numbered updates are nonsecurity.)

  • On Feb. 19 -- the day originally scheduled for that 50-strong patch -- Oracle released Java 7 Update 15, which plugged five more security holes.

Stop me if this starts to sound like the Keystone Kops.

  • On Feb. 25, Security Explorations sent Oracle another vulnerability notice, this time about two more security holes. Then, on Feb. 28, security company FireEye posted details about yet another vulnerability, this time in Java 7 Update 15, which allowed attackers to download an executable called McRat. That's a particularly nasty hole, which is being exploited in the wild.
  • On March 4, Security Explorations officially notified Oracle of five more security holes in Java. Although the holes are identified separately, according to Security Explorations, "when combined together [they] can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15."
  • Also on Monday, Oracle released Java 7 Update 17, which fixed two critical holes, one of which has an exploit in the wild.

If I counted correctly, that's eight new Java zero-days discovered in the past week.

Are you having trouble keeping track of all of this? There's a warning system that deserves your attention, and it doesn't take a degree in computer science to figure it out. The Java 0-day website tells you at a glance how many days have elapsed since the appearance of the latest identified Java zero-day exploit. The site also fills you in with a list of currently registered, unfixed, and festering Java security vulnerabilities, and lets you drill down to a complete description of the most recent Java zero-day. [Ed: The original version of this post incorrectly ascribed the 0-day site to FireEye. In fact, the creator of the site appears to want to remain anonymous.]

Of course, you aren't concerned. You disabled Java in all of your browsers months ago, right?

Galen Gruman nailed it six weeks ago when he said, "Enough already. Wake up and smell the coffee: Client-side Java needs to go, and fast. Even if the current bugs can be fixed, there will be more."

This story, "Java zero-day holes appearing at the rate of one a day," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform